Mallory
9 malware families

Lockean

Also known as: Lockean

Lockean is a ransomware affiliate group tracked by CERT-FR. Over roughly 18 months, it compromised at least eight French companies, stole data, and deployed malware from multiple ransomware-as-a-service (RaaS) operations. CERT-FR first observed the group in 2020 in an attack on a French manufacturing company using DoppelPaymer; subsequent intrusions involved Maze, Egregor, ProLock, and REvil. Reported victims included Gefco, Ouest-France, Fareva, and Pierre Fabre, with four additional French victims not publicly named.

Lockean operated as a multi-RaaS affiliate and used double extortion, stealing victim data before encryption. CERT-FR reported that the group typically kept 70% of paid ransom proceeds, with the remainder going to the RaaS operators.

For initial access, Lockean most commonly relied on Qbot/QakBot, which was delivered via Emotet before its takedown and later via TA551; in at least one case, Lockean used IcedID. During intrusions, Lockean used Cobalt Strike for lateral movement and also employed Adfind, BloodHound, BITSadmin, and Rclone, with Rclone used for data exfiltration. CERT-FR also identified TA551 as a collaborator in Lockean operations, helping affiliates deploy ProLock, Egregor, and DoppelPaymer on systems infected with Qbot/QakBot.

External analysis cited in the reporting found indicators related to Conti infrastructure, suggesting possible additional RaaS affiliations, but the confirmed reporting identifies Lockean primarily as a ransomware affiliate group active against French organizations.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Commercial & Professional Services
  • Pharmaceuticals, Biotechnology & Life Sciences
  • Media & Entertainment

Where they target

Geographies tied to known operations.

  • 🇫🇷 France

MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic.

3 of 15 tactics, 3 techniques

  • TA0001 Initial Access (1 technique): T1566 Phishing
  • TA0010 Exfiltration (1 technique): T1048 Exfiltration Over Alternative Protocol
  • TA0040 Impact (1 technique): T1486 Data Encrypted for Impact